What's the current state of XMPP and OpenID Connect?
Uncategorized
9
Posts
3
Posters
0
Views
-
What's the current state of XMPP and OpenID Connect? My web search returned that ejabberd is still considering if and how to implement and Prosody has experimental alpha-stage support via a module. I couldn't find anything conclusive in regards to XMPP clients. What's with Gajim(?) and Conversations? Or other clients? Are there any web clients supporting OIDC?
-
What's the current state of XMPP and OpenID Connect? My web search returned that ejabberd is still considering if and how to implement and Prosody has experimental alpha-stage support via a module. I couldn't find anything conclusive in regards to XMPP clients. What's with Gajim(?) and Conversations? Or other clients? Are there any web clients supporting OIDC?
@fluchtkapsel the answer depends a bit on what you are trying to achieve. Authenticate against a third party? Throw the password away and log in with a session cookie? Give access to third parties to data on the XMPP server?
We do the session tokens with FAST.
Prosody has some support for giving third parties access to (scoped) data on the XMPP server and clients (Conversations and Gajim) aren't involved here. -
@fluchtkapsel the answer depends a bit on what you are trying to achieve. Authenticate against a third party? Throw the password away and log in with a session cookie? Give access to third parties to data on the XMPP server?
We do the session tokens with FAST.
Prosody has some support for giving third parties access to (scoped) data on the XMPP server and clients (Conversations and Gajim) aren't involved here.@daniel I have Keycloak running and ponder if I want to go for Prosody again but authenticating against Keycloak this time. This means, users are created and managed in Keycloak. My previous projects with Keycloak used OIDC for authentication. But the clients should be able to authenticate via OIDC otherwise this would be futile 🙂.
-
@daniel I have Keycloak running and ponder if I want to go for Prosody again but authenticating against Keycloak this time. This means, users are created and managed in Keycloak. My previous projects with Keycloak used OIDC for authentication. But the clients should be able to authenticate via OIDC otherwise this would be futile 🙂.
@fluchtkapsel Authenticating with oauth with a third party is not currently available. @mattj probably has the most insights into what steps we made into that direction yet.
Part of the problem is that we loose nice security features like channel binding by using web stuff.
-
@fluchtkapsel Authenticating with oauth with a third party is not currently available. @mattj probably has the most insights into what steps we made into that direction yet.
Part of the problem is that we loose nice security features like channel binding by using web stuff.
@daniel@gultsch.social @fluchtkapsel@nerdculture.de @mattj@floss.social Sure but if someone already uses external auth, being able to add xmpp to the stack would bring extra security features like global 2FA.
Here is my use case. I use LDAP for authentication and currently in the process of adding keycloak for oidc. XMPP at this point needs to stay with LDAP only, while it would be an added feature for me if it would support openid
-
@daniel@gultsch.social @fluchtkapsel@nerdculture.de @mattj@floss.social Sure but if someone already uses external auth, being able to add xmpp to the stack would bring extra security features like global 2FA.
Here is my use case. I use LDAP for authentication and currently in the process of adding keycloak for oidc. XMPP at this point needs to stay with LDAP only, while it would be an added feature for me if it would support openid
@muppeth @mattj @fluchtkapsel Sticking with LDAP would at least on paper leave the door open for channel binding.
2FA could be added to XMPP w/o involving web stack stuff.
I'm not fundamentally opposed to oauth. I'm just pointing out that the use case of oauth is convenience rather than added security. If we implement it wrong me might even loose security (channel binding).
-
@fluchtkapsel Authenticating with oauth with a third party is not currently available. @mattj probably has the most insights into what steps we made into that direction yet.
Part of the problem is that we loose nice security features like channel binding by using web stuff.
-
@fluchtkapsel @mattj Channel Binding ensures that client and server are in the same TLS session by mixing in unique stuff from the session into the password handshake. This is basically MITM protection for the TLS layer.
For more information the search keywords would be: SASL, SCRAM and Channel binding. The XEP is just negotiation and boring wrt the security aspects.
-
@fluchtkapsel @mattj Channel Binding ensures that client and server are in the same TLS session by mixing in unique stuff from the session into the password handshake. This is basically MITM protection for the TLS layer.
For more information the search keywords would be: SASL, SCRAM and Channel binding. The XEP is just negotiation and boring wrt the security aspects.
@fluchtkapsel @mattj there is also this talk in German that explains my motivation behind my push towards channel binding:
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@pierostrada salve, mi chiamo Sabrina e gestisco una raccolta fondi per una famiglia palestinese, ho già mandato loro soldi un paio di volte #EOraArrestateAncheMe
-
@GustavinoBevilacqua ma questi non sono plastificati, è il classico cartone dei pacchi piatti ikea
-
Siamo orgogliosi di aver manifestato per il popolo palestinese. E torneremo a farlo
> A tutti costoro che stanno utilizzando l’inchiesta sui presunti finanziamenti ad Hamas per sputare veleno contro quel mondo solidale che non ha chiuso gli occhi di fronte alla mattanza nella Striscia di Gaza
-
Wu Tang is for the children.
-
@mariosiniscalchi trasformare ipotesi improbabili e indimostrabili nella certezza che Putin si stava preparando a occupare l'Europea da Varsavia a Lisbona è tipico del pensiero bellicista che si basa sulla "certezza" che da altri esseri umani non possiamo aspettarci che il peggio, e quindi questo autorizza la nostra tribù a esprimere il peggio di sé, compresa la scelta di definire "impreparato" un blocco militare che esprime il DECUPLO della spesa militare russa e voleva espandersi fino a Kiev.
-
Per esperienza personale posso dirti che la colla Pritt stesa tra due fogli plastificati NON asciuga (resta come se fosse dentro allo stick) nonostante varie decine di kg appoggiati sopra.
Una soluzione potrebbe essere una serie di forellini nelle corrugature, in modo che la colla entri e faccia funghetto con quella fuori, ma credo non ci siano studi a riguardo (però per saldare l'acciaio funziona).
-
The quote comes from Philippe Geluck - not Ricky Gervais.
https://shkspr.mobi/blog/2020/04/who-do-you-think-you-are-kidding-mr-feynman/
-
@rubinjoni I gotta be honest - I never understood the gulag thing, even as someone who studied fascism, until I started encountering open fascists in my life. In my twenties, I just couldn't rationalize how ppl who'd wanted worker self governance and to share everything, ended up building gulags.
Now? I get it.
